The CISO role has been undergoing a dramatic and rapid maturation process in the past several years. Today, CISOs have evolved from security officers to respected and regarded members of the business C-suite, taking part in strategic planning and sensitive decision making, and making their voices and opinions heard in the boardroom. This evolution required a perspective shift for many CISOs and brought about a need to find a balance between demonstrating their technical chops and being considered security experts, and showing that they actually understand how cyber risk can impact the business.
Building trust and fostering relationships with the C-suite helps cement the foundations for future understanding and interest in security as a business concern. CISOs should not focus too much on tech jargon and instead show how security can impact the organization, identify what can impede strategic objectives, offer options for mitigation, and guide how the C-suite can help.
There have been several underlying reasons for this evolution in CISO leadership:
- The impact of cyber-attacks on business efficiency, output and continuity has made business leaders aware that they must prioritize security as a business concern, not as a niche line in the IT budget.
- Because of digital transformation and the new modern working environment, users are no longer constrained to on-premises networks and environments. Remote work and cloud migration have eased business processes, but created a host of security challenges that have expanded the CISO’s responsibilities and accountability.
- CISOs today have a unifying role within businesses, ensuring that employees view security as a priority and empowering them to become security advocates within their teams. They do so by promoting the value of security not only for the company’s safety, but also as an enabler of the business.
CISOs have become accustomed to being considered “the office of no.” For years, the perception of security has been of an isolated function sitting in an ivory tower. As security has become increasingly important, CISOs can no longer afford to be thought of in this manner. They need to build trust and find a balance between understanding the threat landscape and its impact and turning “no” into “yes” to ensure that the entire organization is on board.
The modern CISO has to work with business leaders to build a holistic security strategy with goals that build value for the entire organization. As the CISO-in-Residence at cybersecurity-focused VC firm YL Ventures, I advise our founders to build security solutions that deliver business value at business speed, resolving the gap between business and tech latency. We need better, more modern approaches for securing today’s digitally-led businesses so that security transforms from a potential hindrance to a proper enabler.
When thinking about security strategies, asking what type of incident keeps us up at night does not get to the heart of the matter. It’s better framed as: what are the organization’s most important assets and processes? This keeps CISOs focused on building a security strategy around these crown jewels, and correlates directly with business objectives. As market turbulence affects security strategies along with a host of other processes, CISOs must remain focused on showing the value they hold for the organization and its various teams in order to implement their strategy.
CISOs know that even during the best of times, security may remain a small percentage of the organization’s overall IT budget. With the market decline, scaling the number of security professionals has become a pipe dream. Forward-thinking CISOs must quickly realize that rather than growing their team, they should double down on resolving business latency, focus on automation, and consider lean, business-focused approaches and teams that can make a bigger impact.
As markets continue to fluctuate, layoffs have become a sobering reality for many companies. This stark shift from the highs of 2021 presents an uncomfortable security concern. Depending on the industry and how the market affects it, layoffs can lead to more uncertainty, disgruntled employees, and, inevitably, heightened risk. Organizations need to discuss how insider threats translate to potential business and security risks and how they should approach security issues before an incident.
The evolution in CISO leadership will continue to challenge the outdated borders between security and business, especially as market turbulence continues to impact business outcomes and growing attacks impact business continuity. CISOs have to find creative ways to articulate a fundamental truth: cybersecurity risk is business risk. Top management also needs to treat CISOs as part of the C-suite, and CISOs need the support of executive leadership to convey that the conversation isn’t about security itself; it’s about bottom-line revenue for the company and moving the business forward.
Frank Kim, CISO-in-Residence, YL Ventures